SecureAuth IdP Version Affected: All
The Webservice Profile Provider fails to retrieve the profile for the user and the following error is logged in the debug log:
<EventID>52000</EventID><Timestamp>5/5/2018 10:00:00 AM</Timestamp><UserID></UserID><UserAgent></UserAgent><UserHostAddress></UserHostAddress>WebServiceProfileProvider.GetPropertyValuesBase: finding user 'bob' got exception: System.ServiceModel.CommunicationException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element. ---> System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (262144) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
--- End of inner exception stack trace --
This can result in missing attributes in SAML assertions made by the realm as well as any other actions that rely on the profile.
A property returned to the webservice realm is so large that the webservice response exceeds the default limit in IIS (262144 bytes), which prevents the profile from being loaded.
This is typically the "Fingerprints" or "Push Notification Tokens" property, because the maximum number for each of these can be set to infinite and they tend to grow over time as the user logs in using different machines/browsers or enrols new devices. However, other properties can also grow too large.
To prevent a repeat of the problem, consider configuring a limit on device/fingerprint enrolment realms:
Fingerprints (Total FP max count)
Device Push Notification Tokens (Max Device Count)
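To find out which users are already hitting the quota, the debug log can be scanned for the error shown above. The following Python script is an added example, not part of the SecureAuth product or this article's original text; the function name, the summary fields and the sample lines (constructed from the log entry above) are assumptions.

```python
import re

# Error text as it appears in the debug-log entry quoted in this article.
FAILURE = re.compile(
    r"WebServiceProfileProvider\.GetPropertyValuesBase: finding user "
    r"'(?P<user>.*?)' got exception: .*?"
    r"maximum message size quota for incoming messages "
    r"\((?P<quota>\d+)\) has been exceeded"
)
TIMESTAMP = re.compile(r"<Timestamp>([^<]*)</Timestamp>")


def affected_users(lines):
    """Return {user: {"count", "quota", "last_seen"}} for quota failures."""
    users = {}
    for line in lines:
        hit = FAILURE.search(line)
        if hit is None:
            continue  # some other debug-log entry
        stamp = TIMESTAMP.search(line)
        entry = users.setdefault(
            hit.group("user"), {"count": 0, "quota": 0, "last_seen": None}
        )
        entry["count"] += 1  # one per line; the inner exception repeats the text
        entry["quota"] = int(hit.group("quota"))
        if stamp:
            entry["last_seen"] = stamp.group(1)  # file order, not parsed
    return users


# Constructed sample lines modelled on the entry above (not real log data).
_PREFIX = "<EventID>52000</EventID><Timestamp>{ts}</Timestamp><UserID></UserID>"
_ERROR = (
    "WebServiceProfileProvider.GetPropertyValuesBase: finding user '{user}' "
    "got exception: System.ServiceModel.CommunicationException: The maximum "
    "message size quota for incoming messages (262144) has been exceeded. "
    "---> System.ServiceModel.QuotaExceededException: The maximum message "
    "size quota for incoming messages (262144) has been exceeded."
)
SAMPLE_LOG = [
    (_PREFIX + _ERROR).format(ts="5/5/2018 10:00:00 AM", user="bob"),
    _PREFIX.format(ts="5/5/2018 10:00:05 AM") + "Unrelated debug entry",
    (_PREFIX + _ERROR).format(ts="5/5/2018 10:02:11 AM", user="o'brien"),
    (_PREFIX + _ERROR).format(ts="5/5/2018 10:07:42 AM", user="bob"),
]

if __name__ == "__main__":
    for user, info in sorted(affected_users(SAMPLE_LOG).items()):
        print(user, info["count"], info["quota"], info["last_seen"])
```

Users who appear repeatedly are the ones whose "Fingerprints" or "Push Notification Tokens" properties should be reviewed first.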
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.